An Insider’s Take on API Strategy

We recently performed a survey to take the pulse of our community on their own API strategies. Our goal was to change and possibly debunk our own assumptions, and replace them with real-world perspectives from customers and partners working on these things day in and day out.

In short, we validated that the fast adoption and sheer volume of APIs have been a double-edged sword.

From a business perspective, APIs have let teams reuse features and functionality across the organization in new and powerful ways. What used to require manual or batch processes now happens quickly, automatically and often in real time. From a technical perspective, internal teams see APIs as a force multiplier to simplify and scale their operations at a fraction of the cost. When we stepped out to consider our partners, we discovered that, more than ever, they use APIs to accomplish their goals by remixing our data with their own.

The sharper edge comes from aspects such as testing and security. Our survey showed that in 92% of cases, APIs are developed with little to no interaction from outside their immediate team. Developers are building and launching systems without involvement from Security or Operations teams. Product managers don’t have a detailed understanding of who is using their APIs, or for what. And IT is completely kept in the dark. Some respondents went as far as to say that they “don’t do anything for API security”, which is a disturbing realization at best.

First, the good news:

  • 98% of respondents said they had an API strategy in place
  • 95% are planning to invest in APIs in the near future
  • 28% said their strategies were already “successfully planned and implemented”
  • An additional 44% said their strategies were “likely to succeed”

But there’s some bad news too:

  • Only 36% said Security teams perform audits of their APIs
  • Only 4% said Product Managers approve the launching of their APIs
  • Only 8% of respondents said Engineering, IT, Security, and Product Management were all involved in API security

Most organizations feel safe because 60% of their APIs are for internal developers, while 37% are for partners, and a tiny 9% are for external third-party developers. Unfortunately, this is the biggest risk of all because a successful internal API often becomes a partner API, and partner APIs are external by definition. In this case, success introduces risk that we must consider, and mitigate as early as possible.

Your API strategy must be a team sport. Your product managers must know the goals set for the API as they are planned, and the metrics to meet before they launch. Instead of reinventing the wheel, your developers must choose and implement common standards and follow good practices. Your security team needs to know and validate your authorization policies. And finally, your operations team should understand what normal traffic looks like, and how to identify and interrupt anomalies.

The good news is that none of these problems are new or unsolvable.

The bad news is that too many organizations have yet to recognize these problems and solve them.

Got a minute? Review the details of the survey here: API Strategy: Executive Survey